Petrwrap, a new ransomware strain that uses the same SMBv1 worm employed by last month's WannaCry outbreak, is crippling businesses, banks, airports, and utilities across Europe, with Ukraine's government and state-run services at the epicenter of the damage.

As security teams work to beat back a new ransomware strain that is quickly spreading across Europe and beyond, there are uncomfortable questions that have to be asked: Why is a ransomware strain employing the same vulnerability WannaCry used causing so much damage? Why haven't businesses patched their systems and improved their defenses after last month's worldwide WannaCry wakeup call?

"Given the notoriety that WannaCry achieved, it’s surprising to see that organizations are falling victim to a vulnerability that has been public knowledge since earlier this year," Andrew Avanessian, vice president of the security firm Avecto, tells Spiceworks.

He continues: "There’s no silver bullet, but it’s critical that businesses implement security best practice, including regular patching, application control and removing admin rights. In our testing we found that these simple measures prevented the majority of cyber attacks, and I’d be very surprised if that wasn’t the case in this instance, too."

Costin Raiu, a security researcher at Kaspersky Labs, identified the ransomware strain as Petrwrap, saying the sample he tested had been compiled on June 18, 2017. A variant of the Petya ransomware strain that was discovered last year, Petrwrap appears to be unknown to a majority of antivirus vendors. According to VirusTotal, only 15 out of 61 antivirus products are detecting the malware.

So far, Petrwrap is reported to have hit government centers and infrastructure around Europe. In Ukraine alone, the ransomware shut down government buildings, the state-run bank, key infrastructure, an airport, and other utilities, prompting the government to issue a public announcement on Twitter that leveraged a popular meme:

Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj

Petrwrap also shut down "systems monitoring radiation at the site of the former Chernobyl nuclear power plant, where computers running Windows were temporarily knocked offline," according to the Washington Post. But the damage was not restricted to Ukraine: Russia's state-owned oil company Rosneft, the Danish Maersk conglomerate, a British company called WPP, as well as companies in the U.S. and India reported outages.

Why is this happening again?

But all of this still leaves a key question unanswered: Why is this happening again?

"If we look at the attack, it’s leveraging a vulnerability that’s been out there for some time," Avanessian says, referring to EternalBlue, a Windows-specific SMBv1 exploit leaked by a hacking group called The Shadow Brokers, who claim to have stolen hacking tools from the National Security Agency (NSA). "EternalBlue was leaked from the NSA in April, and we predicted shortly afterwards that we would see copycat attacks."

But WannaCry used EternalBlue as well, leading to widespread calls for businesses, government agencies, and individuals to patch their systems. Microsoft even went so far as to release a patch for the aging Windows XP operating system to help protect people against the attack.

And while Avanessian says he's seen many organizations apply those patches, he makes it clear that many also have not. Moreover, he says, "a lot of organizations don't get the security basics right."
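The three basics Avanessian keeps returning to (the MS17-010 patch, SMBv1 switched off, and staff not working with admin rights) can be audited on a single Windows host in a few lines. The script below is an added example written for this article, not code from Avecto or from the article itself. It assumes a Windows 8.1/10 or Server 2012 R2+ host where the SmbShare and LocalAccounts modules are available, and the KB list is an assumption covering the March 2017 MS17-010 packages for Windows 7 / Server 2008 R2; newer builds receive the fix inside cumulative updates, which `Get-HotFix` reports under a different KB number, so the list has to be extended per OS version in your estate.

```powershell
# Added example: audit one host for the WannaCry/Petrwrap basics.
# Assumption: KB4012212 (security-only) and KB4012215 (monthly rollup) are the
# March 2017 MS17-010 packages for Windows 7 / Server 2008 R2. Add the KB of the
# cumulative update that carries MS17-010 for each other OS build you run.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

$report = [ordered]@{}

# 1. Patch state. Get-HotFix lists installed KBs by id, so a missing entry here
#    either means the host is unpatched or that the fix arrived in a cumulative
#    update not in $Ms17010Kbs; treat "False" as "verify", not "safe".
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$report['MS17-010 KB present'] = [bool]$installed

# 2. SMBv1 server state. EternalBlue targets the SMBv1 server side, so this is
#    the setting that matters even on a patched host (defense in depth).
$smb = Get-SmbServerConfiguration
$report['SMBv1 server enabled'] = $smb.EnableSMB1Protocol

# 3. Admin rights. Is the account running this session a member of the local
#    Administrators group? Member names come back as DOMAIN\user or HOST\user.
$me      = "$env:USERDOMAIN\$env:USERNAME"
$admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$report['Current user is local admin'] = ($admins -contains $me)

$report.GetEnumerator() | Format-Table -AutoSize

# Remediation for finding 2, run once from an elevated prompt after the audit.
# Turning SMBv1 off breaks only clients that still speak SMB1 (very old
# appliances, Windows XP); inventory those before running this in bulk.
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On Windows 8.1/10 the SMB1 optional feature (client and server) can be removed too.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```

Run the audit half on a sample of workstations first: a host that reports "MS17-010 KB present: False" together with "SMBv1 server enabled: True" is exactly the population both worms spread through, and "Current user is local admin: True" on an ordinary user's desktop is the admin-rights finding Avanessian describes.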

But Avanessian emphasizes that Petrwrap is a more sophisticated attack than WannaCry.

"WannaCry was a quite sloppy attack in many respects," he says. "It had a kill switch built in that talked to a command center — we think it was detecting whether WannaCry was working on a virtual machine or not."

He continues: "Petrwrap is more sophisticated: Once it’s on a PC, it overrides the master boot record on the hard disk thereby corrupting the operating system. When you reboot that machine, it boots up into a mini-version of an operating system installed by Petrwrap. That operating system takes hold of the PC and puts it in the firm control of the cyber criminals."

WannaCry didn't do this. Instead, victims were able to boot their computers up and clean the system manually. "It's harder to do this with Petrwrap," Avanessian says. "Plus it can propagate quickly across environments in the same way as WannaCry."

Still, he's firm on one point: "This instance again shines a light on the need for companies to focus on prevention when it comes to cyber security, rather than being passive and assuming there will be a cure when the worst happens."

Did you apply all your patches after the WannaCry outbreaks? Were you hit by Petrwrap? Let us know in the comments below!

117 Replies

"Petrwrap is more sophisticated: Once it’s on a PC, it overrides the master boot record on the hard disk thereby corrupting the operating system. When you reboot that machine, it boots up into a mini-version of an operating system installed by Petrwrap. That operating system takes hold of the PC and puts it in the firm control of the cyber criminals."

Some of the reports I've seen suggest the lateral infection methods used are not limited to EternalBlue and as such aren't always affected by patching that particular exploit. Initial infection seems to be via Excel or Word files with macros.

How embarrassing it would be if the pride and joy of the UK navy were infected with Petrwrap, as its computers still run on Windows XP. With a price of 4,000,000,000 € they could at least have used a more recent operating system.

Anyone who thought that there wouldn't be something else on par to WannaCry this year needs to pull their head from the sand. Everyone saw how widespread it was and how it could have been worse if it was built better. It's obvious some criminal organization saw that and said "I could do it better and make more money". Many experts said as WannaCry wound down to take notice, and we see that not everyone did. Hopefully they'll take notice now.

^ The only ones getting infected are the ones who didn't hear the CRY of the first round... Pure laziness is definitely to blame.

I believe this is exactly the reasoning behind MS forcing Windows updates on us with Windows 10. Companies and people cannot be bothered to do what is in their best interest by staying up to date, which then allows problems like this one to arise.

Let me guess. This is the fault of either Russia, North Korea or China.....

NSA is the real culprit, as the exploit is based on EternalBlue, which they used for spying purposes. Not that NSA is behind this particular attack, but it is their leaked exploit that they could not protect and chose not to tell Microsoft about that is the root of this and WannaCry previously.

It's hard to think that these companies don't understand that using Windows XP for some outdated piece of software is going to end up costing you so much more in the long run instead of finding a newer solution. No, instead let's cut out our IT department because it's always just a "cost" on our bottom line. With this much notoriety there is no excuse for systems not being patched. It's frustrating to see this kind of thing happen when it has such a simple fix.

WOULDN'T IT BE GREAT IF THERE WAS A SIMPLE PATCH TO MITIGATE THIS RISK

I feel no pity for any of these victims. They are not a victim of ransomware so much as they are a victim of their own laziness.

I realize nobody is always 100% immune and to think so is foolish, but in this case... SMH. Eat that crow, eat it up and like it

Ideally, yes, everyone should be patched, but due to third-party customized solutions this is not always possible.

I do agree they should take extra effort locking down firewalls and switches and patching what they can, but there are many places where it lacks resources, custom customer solutions, Windows when they can update, etc.

Starting with Windows 7 there was an MBR lock put in place by the OS on UEFI systems. You either have to be running an old BIOS or be an administrator to turn this off. Once again, not running as an administrator on a newer version of Windows would provide some protection.